Retired Senior (now termed Chief) District Judge Richard Magnus to chair the COI

The cybersecurity attack on SingHealth’s IT system, resulting in the exfiltration of 1.5 million patients’ non-medical personal data and 160,000 patients’ dispensed medicines data, is the most serious breach of personal data that Singapore has experienced.

2 The Cyber Security Agency (CSA)’s investigations have established that the attack was deliberate, targeted and carefully planned. It was not the work of casual hackers or criminal gangs. Prime Minister Lee Hsien Loong’s personal particulars and outpatient medication data were specifically and repeatedly targeted.

Committee of Inquiry

3 This incident has serious public health and safety implications. Therefore, the Minister-in-Charge of Cybersecurity, Mr S Iswaran, will convene a Committee of Inquiry (COI) under Section 9 of the Inquiries Act (Cap 139A). Mr Richard Magnus, a retired Senior (now termed Chief) District Judge and member of the Public Service Commission, has agreed to chair the COI.

4 The COI will establish the events and contributory factors leading to the cybersecurity attack, and the incident response. It will also recommend measures to better manage and secure SingHealth’s and other public sector IT systems against similar cybersecurity attacks in future.

5 The COI’s composition and Terms of Reference will be announced at a later date.

Government to Take Immediate Actions to Strengthen IT Systems

6 Meanwhile, the Government will take immediate action to strengthen our IT systems against similar cybersecurity attacks. The Minister-in-Charge of Cybersecurity has directed CSA to work closely with all 11 key sectors1 to enhance the cybersecurity of their Critical Information Infrastructure systems.

7 The Smart Nation and Digital Government Group (SNDGG) has completed a scan of all government systems and found no evidence of compromise. SNDGG will pause the introduction of new ICT systems while it reviews the cybersecurity measures of government systems, and implements any additional security safeguards which are necessary.

Ensuring Cybersecurity in the Digital Age

8 While we will do our utmost to secure our IT systems from attack, unfortunately we cannot completely eliminate the risk of another cybersecurity attack. Every country is under threat, and the attackers are constantly developing new techniques and probing for fresh weaknesses in IT systems. However, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation. We must adapt ourselves to operate effectively and securely in the digital age, to deliver better public services, enhance our economic competitiveness, and create good jobs and opportunities for Singaporeans.

9 The Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases. We will learn from the experience of this deliberate and sophisticated cybersecurity attack, and implement measures to better secure our public sector IT systems and databases, and uphold public trust in our systems.

[1]Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.

MCI Response to PQ on Collection of NRIC and Personally Identifiable Information by Security Officers at Commercial and Private Residential Facilities Parliament QAs Personal Data, Others 30 Nov 22
MCI Response to PQ on Assessment of Risk and Impact of Quantum Computing Technology and Efforts to Ensure Encrypted Digital Records and Communications Networks Remain Secure Parliament QAs Digital Readiness, Others, Government Technology 29 Nov 22
MCI Response to PQ on Measures in Place to Safeguard Privacy and Data of Users against Illegal Tracking by Tech Companies Parliament QAs Personal Data 28 Nov 22
MCI Response to PQ on Mitigation Strategy to Deal with Cellular Phone Jams at Large-scale Crowd Events Parliament QAs Public Comms, Digital Readiness 28 Nov 22
MCI Response to PQ on Measures to Improve Service Quality of Poor Performing Telcos Parliament QAs Others, Digital Readiness 28 Nov 22
MCI Response to PQ on Publishing Unedited Submissions from Individuals and Industry Players in Public Consultations on Proposed Legislation Parliament QAs Others, Public Comms, Personal Data 28 Nov 22